Bug 31885 - cmark new security issue CVE-2023-22486
Summary: cmark new security issue CVE-2023-22486
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 31945
  Show dependency treegraph
Reported: 2023-05-06 23:42 CEST by David Walser
Modified: 2023-05-21 23:56 CEST (History)
7 users (show)

See Also:
Source RPM: cmark-0.29.0-2.mga8.src.rpm
CVE: CVE-2023-22486
Status comment:


Description David Walser 2023-05-06 23:42:53 CEST
SUSE has issued an advisory on May 4:

The issue is fixed upstream in 0.30.3:
David Walser 2023-05-06 23:43:11 CEST

Status comment: (none) => Fixed upstream in 0.30.3

Comment 1 Mike Rambo 2023-05-08 19:05:17 CEST
Updated package built for Mageia 8


Patched cmark package fixes security vulnerability:

It was discovered that cmark incorrectly handled certain inputs. Fixes quadratic complexity in handle_close_bracket "![[]()" which may lead to a denial of service (CVE-2023-22486).

Noting that this also fixes a quadratic parsing issue with repeated <!-- that was not in a released product but which was assigned a CVE (CVE-2023-22484).


Updated packages in core/updates_testing:

from cmark-0.30.3-1.mga8.src.rpm

Assignee: mhrambo3501 => qa-bugs
CVE: (none) => CVE-2023-22486

David Walser 2023-05-09 00:28:11 CEST

Status comment: Fixed upstream in 0.30.3 => (none)
CC: (none) => mhrambo3501

Comment 2 Herman Viaene 2023-05-15 16:28:55 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No wiki, no previous updates, so looking for info.
From MCC: " It also provides a command-line program (`cmark`) for parsing and rendering CommonMark documents."
Googling around what mightt be a "CommonMark document", didn't get any wiser.
Played with the command:

$ cmark --version
cmark 0.30.3 - CommonMark converter
(C) 2014-2016 John MacFarlane
$ cmark --help
Usage:   cmark [FILE*]
  --to, -t FORMAT  Specify output format (html, xml, man, commonmark, latex)
  --width WIDTH    Specify wrap width (default 0 = nowrap)
  --sourcepos      Include source position attribute
  --hardbreaks     Treat newlines as hard line breaks
  --nobreaks       Render soft line breaks as spaces
  --safe           Omit raw HTML and dangerous URLs
  --unsafe         Render raw HTML and dangerous URLs
  --smart          Use smart punctuation
  --validate-utf8  Replace invalid UTF-8 sequences with U+FFFD
  --help, -h       Print usage information
  --version        Print version

I will not object the OK if someone decides this is sufficient.

CC: (none) => herman.viaene

Comment 3 Len Lawrence 2023-05-19 13:47:06 CEST
Neochat requires the library but deals with matters a little outside our purview:
"NeoChat is a client for Matrix, the decentralized communication protocol for instant messaging."
mkvtoolnix-gui also needs the library.  That has something to do with multiplexing in the context of building matroska files (MKV container files) which is rather too specialised for us.

Apart from following the tutorial for cmark and attempting to build an HTML document containing markdown directives there is not much we can do with this IMHO.  Might have a go at that sometime.

The packages update cleanly so I agree with Herman.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-05-20 02:56:52 CEST
Validated. Advisory in comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-05-21 03:21:14 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-05-21 10:44:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Thomas Backlund 2023-05-21 14:13:19 CEST

Blocks: (none) => 31945

Comment 6 Eric Petit 2023-05-21 22:35:44 CEST
today, MGA8 update ask to remove mkvtoolnix-gui, after i canot install it back :

urpmi mkvtoolnix-gui
Le paquetage suivant ne peut pas être installé, car il dépend
de paquetage qui sont plus anciens que la version installée :

CC: (none) => surfzoid

Comment 7 Dave Hodgins 2023-05-21 23:56:27 CEST
Fix is in progress. See bug 31945

Note You need to log in before you can comment on or make changes to this bug.